azurerm/terraform-azure-resources

Terraform Azure Resources

MIT License TF Registry

Overview

This set of Terraform modules helps you create and manage Azure resources.

It gives you a simple way to create Azure resources. Resources are available in the Terraform Registry.

Unit modules are available in the modules directory based on the resource name.
Composable/pattern modules are available in the modules directory with the pattern prefix.

The main goal of this set was to deploy a full Hub and Spoke architecture based on best practices and my own experience. Resource naming is based on the Azure naming convention.

Governance is not (yet) managed by this set of modules.

Azure Hub & Spoke Global design

Depending on your needs, you can include or leave out the following resources:

Limitations

  • Single subscription
  • No vWAN (Virtual WAN) support
  • No governance (Azure Policy, ...)
  • No Network Security Group (NSG), security rules are managed by Azure Firewall
  • All logs and all metrics are sent to Log Analytics Workspace

Terraform modules

You can find all modules in the modules directory. One example is available below.

Network design

The network design is based on Hub and Spoke architecture. Routing is managed by User Defined Route (UDR) and Azure Firewall.
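
The routing pattern described above, shown as an added sketch that is not code from this repository: a User Defined Route that sends a spoke subnet's outbound traffic to the Azure Firewall in the hub. The variable names, resource labels, route table name and firewall private IP are assumptions; only the azurerm resource types and arguments are the provider's own.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical inputs: supply values from your own deployment.
variable "resource_group_name" {
  type = string
}

variable "spoke_subnet_id" {
  type        = string
  description = "ID of a subnet inside a spoke virtual network"
}

variable "firewall_private_ip" {
  type        = string
  description = "Private IP address of the Azure Firewall in the hub"
}

resource "azurerm_route_table" "spoke" {
  name                = "rt-app1-dev-001" # constructed name
  location            = "francecentral"
  resource_group_name = var.resource_group_name

  # Default route: traffic leaving the spoke is handed to the firewall.
  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = var.firewall_private_ip
  }
}

# A route table has no effect until it is associated with a subnet.
resource "azurerm_subnet_route_table_association" "spoke" {
  subnet_id      = var.spoke_subnet_id
  route_table_id = azurerm_route_table.spoke.id
}
```

A 0.0.0.0/0 route does not override the more specific system route for the virtual network's own address space, so traffic between hosts inside one spoke does not pass through the firewall.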

Example

terraform {
  required_version = ">= 1.0.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.0.0"
    }
  }
}

provider "azurerm" {
  features {}
}

module "hub_and_spoke" {
  source                                 = "azurerm/resources/azure//modules/pattern_hub_and_spoke"
  location                               = "francecentral"
  firewall                               = true
  gateway                                = true
  bastion                                = true
  address_space_hub                      = ["10.100.0.0/24"]
  spoke_dns                              = true
  address_space_spoke_dns                = ["10.100.1.0/24"]
  spoke_dmz                              = true
  address_space_spoke_dmz                = ["10.100.2.0/24"]
  web_application_firewall               = true
  private_monitoring                     = true
  address_space_spoke_private_monitoring = ["10.100.3.0/27"]
  connection_monitor                     = true
  update_management                      = true
  address_space_spokes = [
    {
      workload        = "shared"
      environment     = "prd"
      instance        = "001"
      address_space   = ["10.100.5.0/24"]
      virtual_machine = false
    },
    {
      workload        = "app1"
      environment     = "dev"
      instance        = "001"
      address_space   = ["10.100.10.0/24"]
      virtual_machine = true
    }
  ]
}

Requirements

No requirements.

Providers

No providers.

Modules

No modules.

Resources

No resources.

Inputs

No inputs.

Outputs

No outputs.